In the code you create the hash used for unsubscribing subscribers by hashing the mail address. If I know somebody's mail address I can unsubscribe him.

Comments

DriesK’s picture

Actually, it is not as simple as what you describe. You should for one also know the tid of the term to which the user is subscribed, but obviously, that is not very hard to figure out. However, another part of the authentication string is the snid, which is the id of the subscription in the db table, and that's much harder to guess. So to unsubscribe someone, simply typing in a url based on the email address' md5 won't be sufficient.

However, I agree that you could write a script that would iterate through all possible snids in combination with the email hash and the tid. In that case, you could indeed unsubscribe a user.

I was aware of this when I wrote it, and I intended to get a better solution, but to be honest, I forgot.

What would you suggest? Some kind of secret word that the site admin should set in simplenews settings?

killes@www.drop.org’s picture

I think the most waterproof solution is to generate the hash through, say, md5($address . date()) and store that in a table. massmailer does it in this way. Optionally you can also throw in $db_url or anything unknown for the end user.

flaviovs’s picture

What about this:

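   // Fetch the site-wide random value, creating and storing it on first use.
   $rand = variable_get("simplenews_hash_rand", NULL);
   if ( $rand === NULL )
   {
        $rand = md5(uniqid(rand()));
        variable_set("simplenews_hash_rand", $rand);
   }
   // Mix the stored value into the hash of the address.
   $hash = md5($address . $rand);

DriesK’s picture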

robert castelo’s picture

I've implemented this in eNewsletter as a stand alone module called Identity Hash.

You could use the module itself, or just take the code or ideas you need.

dries’s picture

Yes, all you need is a private key.

DriesK’s picture

Status: Active » Fixed

Fixed as suggested by flaviovs; introduced new function simplenews_private_key().

Anonymous’s picture

Status: Fixed » Closed (fixed)
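
The weakness and the private-key fix discussed in this thread, as an added example that is not part of the issue or of the simplenews code. The function names and sample values are hypothetical, and HMAC-SHA256 with a constant-time comparison is substituted for the thread's `md5($address . $rand)`; it runs as plain PHP 7+ without Drupal.

```php
<?php
// Added illustration: function names and sample values are constructed,
// not taken from simplenews.

// Scheme reported in the issue: the hash depends only on the address,
// so anyone who knows the address can recompute it.
function weak_hash(string $address): string {
    return md5($address);
}

// Keyed scheme: the token depends on a per-site secret that never leaves
// the server, and is bound to the subscription id (snid) and term id (tid).
// HMAC-SHA256 is used here in place of the thread's md5($address . $rand).
function keyed_token(string $key, string $address, int $snid, int $tid): string {
    return hash_hmac('sha256', $address . "\0" . $snid . "\0" . $tid, $key);
}

// Compare the token from the unsubscribe URL in constant time.
function verify_token(string $key, string $address, int $snid, int $tid, string $supplied): bool {
    return hash_equals(keyed_token($key, $address, $snid, $tid), $supplied);
}

// The key is generated once per site and stored server-side (the thread's
// snippet uses variable_set() for this); random_bytes() stands in here.
$key = bin2hex(random_bytes(32));

// Constructed sample subscription.
$address = 'subscriber@example.org';
$snid = 42;
$tid = 7;

// Value computable from the address alone, as in the original report.
$from_address_only = weak_hash($address);
// Token the site would place in the unsubscribe link.
$issued = keyed_token($key, $address, $snid, $tid);

// The address-only value is rejected by the keyed check.
var_dump(verify_token($key, $address, $snid, $tid, $from_address_only));
// The issued token is accepted for its own subscription.
var_dump(verify_token($key, $address, $snid, $tid, $issued));
// The same token is rejected for a different snid, so iterating snids
// with a single known token does not help.
var_dump(verify_token($key, $address, $snid + 1, $tid, $issued));
```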